DESCRIPTION 

EFFICIENT IMPLEMENTATION OF 
ZERO KNOWLEDGE PROTOCOLS 


The present invention relates to zero knowledge protocols that allow 
the knowledge of some "secret" or private key information in a first party 
domain to be verified by a second party without imparting the actual secret 
information or private key to that second party or to any eavesdropping 
third party. In particular, the invention has application in the 
implementation of zero knowledge protocols in systems and devices that 
have restricted computational resource such as smart cards, mobile 
electronic devices and the like. 

Throughout the present specification, the first party owning the 
secret information or private key ("s") and wishing to prove that it has 
possession of the information will be referred to as the "prover" ("P"); the 
second party wishing to verify that this is the case without actually receiving 
knowledge of the secret will be referred to as the "verifier" ("V"). The prover 
P and verifier V may be any suitable electronic device. The secret 

information may be any numeric value, hereinafter referred to as the secret 
number of the prover P. 

Zero knowledge protocols are very valuable tools that can be used 
for authentication of devices such as smart cards used in financial 
transactions, or in pay television access, and for identification of devices 
connecting to a network, such as mobile telephones and other electronic 
devices. 

Conventionally, the prover will offer a computationally difficult 
mathematical problem, and the verifier will ask for one of the two or more 
possible solutions to the problem. If the prover knows critical information 
relating to the solution, it is able to provide either (or any) of the requested 
available solutions on demand, according to the request of the verifier. If 
the prover does not know the critical information, it is computationally 
infeasible for it to always be able to provide the requested solution to the 
verifier. 

Usually, zero knowledge protocols rely on some hard mathematical 
problems such as the factorisation of integers or the discrete logarithm 
problem. A drawback to these protocols is that they usually require 
extensive use of modular arithmetic, which requires greater computational 
resource than is desirable for lower power, limited capacity devices such as 
smart cards and portable electronic devices. Thus, a typical 
implementation time for the security protocols is greater than desirable. 

It is an object of the present invention to provide a more efficient 
method of implementing zero knowledge protocols in processor devices, 
and especially in devices that have low computational resource or low 
power. 

According to one aspect, the present invention provides a method of 
verifying the knowledge of a secret number s in a prover device by a 
verifier device having no knowledge of the secret number, with a zero- 
knowledge protocol using the Montgomery representation of numbers and 
Montgomery multiplication operations therein. 

According to another aspect, the present invention provides a prover 
device having contained therein a secret number s in Montgomery 
representation, the device adapted for proving the knowledge of the secret 
number s to a verifier device without conveying knowledge of the secret 
number itself, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein. 

According to another aspect, the present invention provides a 
verifier device for verifying the knowledge of a secret number s in a prover 
device without knowledge of the secret number itself, with a zero- 
knowledge protocol using the Montgomery representation of numbers and 
Montgomery multiplication operations therein. 
According to another aspect, the present invention provides a 
method of proving the knowledge of a secret number s in a prover device to 
a verifier device having no knowledge of the secret number, with a zero- 
knowledge protocol using the Montgomery representation of numbers and 
Montgomery multiplication operations therein, comprising the steps of: 

selecting a random number, r, 

computing the Montgomery e-th power of r to obtain x; 

transmitting x to a verifier device; 

receiving a challenge value, c; 

computing the Montgomery product of y = r x_m s^c; and 
transmitting y to the verifier device. 

According to another aspect, the present invention provides a 
method of verifying the knowledge of a secret number s in a prover device 
by a verifier device having no knowledge of the secret number, with a zero- 
knowledge protocol using the Montgomery representation of numbers and 
Montgomery multiplication operations therein, comprising the steps of: 

receiving the Montgomery square v of the secret number s; 

receiving the Montgomery square, x, of a random number, r; 

transmitting a challenge value, e to the prover device; 

checking the authenticity of the prover's response, y, according to the 
Montgomery square of y verified against the values of x and/or v received 
from the prover device according to the challenge value e. 

According to another aspect, the present invention provides a 
method of verifying the knowledge of a secret number s in a prover device 
by a verifier device having no knowledge of the secret number, with a zero- 
knowledge protocol using the Montgomery representation of numbers and 
Montgomery multiplication operations therein, comprising the steps of: 

receiving the Montgomery e-th power of the secret number s; 

receiving the Montgomery e-th power, x, of a random number, r; 

transmitting a challenge value, c to the prover device; 
checking the authenticity of the prover's response, y, according to the 
Montgomery e-th power of y verified against the value of x x_m s^ec received 
from the prover device according to the challenge value c. 

Embodiments of the present invention will now be described by way 
of example and with reference to the accompanying drawings in which: 

Figure 1 shows a schematic flow diagram of a protocol according to 
the present invention; 

Figure 2 shows a block diagram of apparatus suitable for 
implementing the protocol of figure 1; and 

Figure 3 shows a schematic flow diagram of an alternative protocol 
according to the present invention. 

In a preferred example, the invention offers an improvement over the 
existing basic Fiat-Shamir protocol. 

The purpose of the Fiat-Shamir protocol is for the prover P to 
convince the verifier V that he knows a secret s (a number), but without 
revealing that secret to V, or indeed to anyone else who may eavesdrop on 
the protocol. 

To be effective, the protocol is conventionally conducted over a 
reasonably large number of rounds (or "trials"). Each round gives V an 
increasing degree of confidence that P does in fact know the number s. 

The number s remains private within the domain of the prover. In 
the first instance, the prover P provides the square of the number s modulo 
n to a trusted third party, v = s^2 mod n. For example, v may be a public key 
for prover P, and the private key s is then the smallest case for which s = 
sqrt(v) mod n. The trusted third party is also generally assumed to be the 
creator of the modulus n from its constituent prime factors. 

The trusted third party provides v to the verifier V. Since n is a 
product of at least two large primes unknown to V (typically a 1024 or 2048 
bit number), it is extremely difficult to factorise, and this in turn makes it 
computationally infeasible to derive s given s^2; thus the trusted third party 
can give V the value of v without revealing s. 

Each round of the Fiat-Shamir protocol works in three stages. 
Stage 1 

The prover P chooses a random number r mod n, and commits to it 
by calculating r^2 mod n and transmitting this to the verifier V. Note that the 
verifier V cannot compute r for the same reason as before - taking square 
roots modulo a large composite number of unknown factorisation is 
computationally infeasible. 
Stage 2 

The verifier V now chooses one of two questions to ask prover P. 
The prover does not know in advance which of these two questions he is 
going to be asked, but he will only be able to answer both of them correctly 
if he genuinely knows the secret s. The verifier can ask either for the value 
of the product r.s mod n, or for the value of r that the prover has just 
chosen. 

This is generally performed by V sending a bit e to P indicating his 
choice of question, referred to as the "challenge" or "examination", such 
that the prover has to provide the answer, y = r.s^e mod n, where e is in 
{0, 1}. 
Stage 3 

The prover P provides y = r.s^e mod n as requested and the verifier 
checks the result as follows. 

If the challenge was for e = 1, the verifier expects to have received 
r.s mod n. The verifier cannot deduce any information about s from this, 
because r is a random number not known to V. Therefore, the verifier 
checks that the response squared (i.e. y^2 mod n, which should be (rs)^2 mod 
n) is the same as r^2 * s^2 mod n. The verifier received r^2 from P in Stage 1 
of this round, and gets s^2 (= v) from the trusted third party. 

If the challenge was for e = 0, the verifier expects to have received r, 
and checks that its square matches the value r^2 mod n provided in Stage 1. 
The point of challenge e = 0 becomes clear when consideration is 
given to how an impersonator of P might behave, without having 
knowledge of s. An impersonator who does not know s can fake (by 
pre-calculation) a correct answer to the e = 1 challenge, but this proves to be a 
gamble since he does not know in advance what question he will be asked. 
He could do this by: 

* selecting any random r, getting v from the trusted third party, and 
then sending (r^2 * v^-1) mod n to V during Stage 1 

* if he is challenged e = 1 by V at Stage 2, then he responds with r as 
his value of y in Stage 3 

this looks acceptable to V, which will check that y^2 = r^2 = (r^2 * v^-1) * v. 

However, the impersonator will not, in this instance, be able to 
answer challenge e = 0 correctly, since he would need to present a square 
root of (r^2 * v^-1) mod n, which in turn would require him to know a square 
root of v^-1 mod n. Equivalently, he needs to know a square root of v mod n, 
i.e. he needs to know s to answer e = 0 correctly. 

On the other hand, the impersonator could gamble on being 
challenged e = 0. This just involves him selecting a random r, presenting r^2 
in Stage 1 and presenting r in Stage 3 in response to challenge e = 0, 
which again looks acceptable to V. But had he chosen this approach, he is 
unable to provide r.s mod n through lack of knowledge of s, if the challenge 
is e = 1 in Stage 2. 

The complete protocol requires execution of a sufficient number of 
rounds to satisfy V that it is in fact conversing with P, and not an 
impersonator, given that the impersonator has a 50:50 chance of selecting 
the correct strategy in each round. If the protocol requires 20 rounds, i.e. 
20 sequential correct responses to the challenge e = {0, 1}, the odds of an 
impersonator that does not know s successfully proving to V is less than 1 
in 1,000,000. For 40 rounds, that probability decreases to less than 1 in 
10^12. 

Each round requires the use of a new value of r. The protocol also 
requires that the response to a challenge be provided within a time limit 
determined by it being computationally infeasible that an impersonator can 
compute the answer to the challenge other than the straightforward 
multiplication r.s^e mod n anticipated. 

It is clearly of benefit to ensure that all of the computation operations 
during execution of the protocol are easily performed by low power devices 
with restricted computational power, so that multiple successive rounds can 
be carried out quickly. 

According to the present invention, it has been recognised that zero 
knowledge protocols such as the Fiat-Shamir protocol discussed above can 
be implemented entirely using Montgomery representations of the numeric 
quantities used in the protocols. This offers significant improvements in 
computational efficiency for both the prover and verifier. 

The solution proposed is based on the Montgomery representation 
of a number z ∈ Z_n. The Montgomery representation z_m of the number z is 
given by z_m = zR mod n, where the number R is much larger than n, both R 
and n being known to the prover device and to the verifier device. 

Montgomery multiplication is performed as follows. For two 
numbers a_m and b_m being the Montgomery representation of the numbers a 
and b, the modular multiplication is given by: 

a_m x_m b_m = a_m b_m R^-1 mod n. 

As in the conventional Fiat-Shamir protocol, n is a publicly known 
modulus that is a product of two prime numbers p and q which remain 
secret in the domain of a trusted third party. 

With reference to figure 1, in this scheme, the secret s (step 101) 
can be regarded as the Montgomery representation of another number, s'. 
A trusted third party may store the Montgomery representation of s'^2, i.e. s^2, 
where the squaring is performed according to the Montgomery 
multiplication s^2 = s x_m s, which we refer to hereinafter as v. This may be 
regarded as the public key for the prover, P. In general, the Montgomery 
product s^2 is calculated (step 102) and provided to the verifier domain (step 
103) whether this is by way of a trusted third party 20 or otherwise directly 
from the prover. In this way, the integrity of the value v may be assured. 

These steps 101 to 103 may be regarded as an initial set up 
procedure which is executed once for many iterations or uses of the three 
stage protocol now to be described. 
Stage 1 

In the first stage of the modified protocol, P chooses a random 
number r ∈ Z_n (step 105) which can be interpreted as the Montgomery 
representation of another number, r'. P performs a Montgomery 
multiplication of r with itself (step 106), yielding r^2 (hereinafter referred to as 
x), which is the Montgomery representation of r'^2, and sends x (= r^2) to the 
verifier (step 107). 
Stage 2 

In the second stage of the modified protocol, the verifier V sends a 
challenge e ∈ {0, 1} to the prover P (step 108). 
Stage 3 

In the third stage of the modified protocol, P computes the 
Montgomery multiplication of r and s^e, i.e. r x_m s^e, hereinafter referred to as 
y (step 110), and sends this number to the verifier, V (step 111). On 
receiving y (step 112), V then performs one of the following two checks 
depending upon the challenge value of e (step 113). 

In the case of e = 1, V calculates the value for y x_m y, and the value 
for v x_m x (step 115), and checks (step 116) whether the two calculated 
values are equal, i.e. whether y^2 = (v x_m x). This requires two Montgomery 
multiplications instead of two ordinary modular multiplications. 

In the alternate case of e = 0, the verifier V calculates y^2 = y x_m y 
(step 120), which is equivalent to r x_m r, because the term s^e evaluates to 
unity. V then checks (step 121) whether y^2 (the Montgomery square of the 
number y that was sent in steps 111, 112) equals the number x (= r^2) that 
had been sent before in steps 106, 107. This requires only one 
Montgomery multiplication instead of one ordinary modular multiplication. 

If either of the checks of steps 116 or 121 fails, that constitutes a 
failure of the protocol (step 122) and the verifier will conclude that prover P 
has failed to establish its knowledge of the secret s. 

If either of the checks of steps 116 or 121 evaluates as true, a 
decision is then made in step 125 as to whether further iterations of the 
protocol are required to satisfy the integrity of P, ie. to assure V that P has 
possession of the secret s (step 126). 

If further iterations are required, the protocol is repeated from step 
105 with a new random value, r. 

As a consequence of the modified protocol, both P and V have only 
to perform Montgomery multiplications (in steps 106, 110, and in steps 115, 
120 respectively) which are more efficient than ordinary multiplications mod 
n (as in the conventional Fiat-Shamir scheme). 

No numbers need be converted into Montgomery representation or 
the reverse during execution of the protocol, because the starting numbers, 
s, v, r are already in Montgomery representation. This makes the modified 
protocol even more efficient. 

It will be understood that the protocol requires that it must be 
computationally infeasible for an impersonator prover, P' to compute either 
a square root of (r^2 x_m v^-1) or the square root of v, depending upon whether 
an impersonator P' elects to gamble on a challenge e of either 1 or 0, and 
certainly computationally infeasible within a timeframe that would normally 
be accepted by V between transmission step 106 and receiving step 112. 

The protocol described above may be implemented in any suitable 
hardware or software. A preferred implementation is shown in figure 2. 

A prover device 10 may comprise a smart card or similar low power 
device, such as a pay-TV card, a credit card or a SIM card for a mobile 
telephone. The device 10 may comprise the smart card itself, or the card 
together with the device into which it is inserted. For example, where the 
card is "read" (or interrogated) by a verifying device, the card itself may be 
provided with a limited processing capability in the form of processor 11. 
Where the card is plugged into or used within a suitable device (such as a 
satellite TV receiver or mobile telephone) which can also be considered as 
forming part of the domain of P, then the processing capability 11 may 
reside in the device which receives the card. 

The verifier device 30 may be a card reader (for direct interrogation 
of, for example a credit card) or may be a remote device that interrogates a 
device into which the card is installed. For example, the verifier device 30 
may be a satellite TV transmitter that interrogates a set top box into which 
an authorisation card is inserted. Alternatively, the verifier device 30 could 
be a mobile telephony base station that communicates with a mobile 
telephone and its SIM card. 

In preferred arrangements, prover device 10 includes memory 
registers for s, r, x and y held in Montgomery representation, and a random 
number generator 12. 

In preferred arrangements, verifier device 30 includes a processor 
31 and registers for v and y in Montgomery representation; and a random 
number generator for e. 

In preferred arrangements, a trusted third party device 20 includes a 
processor 31 and maintains a register for v in Montgomery representation. 
The third party device may also be the provider of v and s as the public / 
private key pair for prover 10, and provide the value of n derived from 
secret prime numbers p and q. 

It will be understood that the expression "random" when used in 
connection with the generation of random number r and random value of e 
from the set {0, 1} implies merely that the value of r or e selected by the 
sending party must be sufficiently unpredictable in the receiving party 
domain that no useful pattern of values for prediction of or inference about 
the next value to be issued can be determined by the receiving party. 

Each of the devices 10, 20, 30 may be in communication with one 
another using any suitable connection by which data transfer may be 
made. This includes wireless links using any suitable medium such as 
radio, microwave, optical, infrared, sonic and the like. The connections 
may be by way of direct electrical connections, transient or permanent, or 
via a switching or packet based network. 

As discussed earlier, it has been determined that the Fiat-Shamir 
protocol can be modified to operate with Montgomery representations of 
numbers and Montgomery arithmetic. The principle is also found to extend 
to other protocols based on an RSA-like structure. A further example is 
now given in which the Guillou-Quisquater protocol is adapted to use 
Montgomery representations of numbers. 

The Guillou-Quisquater protocol is an extension of the Fiat-Shamir 
protocol making use of higher powers. It allows a reduction in both the 
number of messages and memory requirements for establishing a prover's 
knowledge of a secret number, s. 

In the Guillou-Quisquater protocol, a trusted third party chooses two 
RSA primes p and q and computes the product n = pq. The trusted third 
party defines a public exponent e > 3 with gcd(e, φ(n)) = 1 and computes its 
private exponent d = e^-1 mod φ(n). The system parameters (e, n) are made 
public. 

With reference to figure 3, in the modified protocol according to the 
present invention, all the numbers are given in Montgomery representation 
and all computations are done using Montgomery arithmetic. The secret of 
the prover P is s ∈ Z_n (step 301) and may be considered as the 
Montgomery representation of another number s'. The trusted third party 
TTP then computes and stores the Montgomery representation of s'^e, i.e. s 
x_m s x_m s ... x_m s (e times). The verifier V receives and stores s^e from the 
trusted third party. 

The protocol proceeds as follows: 

P chooses a number r ∈ Z_n at random (step 305). r can be 
considered as the Montgomery representation of another number r'. P then 
computes the Montgomery power of r: x = r^e (i.e. r x_m r x_m r ... x_m r (e 
times)) and sends x to the verifier V (step 306). Note that x is the 
Montgomery representation of r'^e. 

V receives x (step 307) and chooses a challenge value c ∈ {0, 1, ..., 
e - 1} at random, which V sends to P (step 308). 

In response to the challenge c, P computes y = r x_m s^c mod n (step 
310) and sends y to V (step 311). 

On receipt of y (step 312), V calculates the Montgomery power y^e 
(step 313) and the Montgomery power s^ec (step 314) and checks to see if 
y^e = x x_m s^ec (step 315). If it does not, the protocol fails (step 322) and V 
must conclude that P does not know s. 

If the check proves that y^e = x x_m s^ec, then V checks to see whether 
sufficient iterations of the protocol have been carried out to verify that P 
knows s to a sufficient degree of certainty (step 325). If yes, the process 
terminates (step 326), and if not, the protocol is repeated with the selection 
of a new random number r by P (step 305). It is a general goal of the 
Guillou-Quisquater protocol that fewer rounds need be performed than in the 
Fiat-Shamir protocol in order to achieve a comparable degree of certainty. 
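As an added worked example (not the patent's own code), the following Python runs both protocols described above entirely in Montgomery form: the Fiat-Shamir rounds of figure 1 (steps 105 to 121) and the Guillou-Quisquater rounds of figure 3 (steps 305 to 315), over a constructed toy modulus. The Montgomery multiplication is implemented with the standard REDC reduction and R = 2^k, which is one concrete way of computing a_m b_m R^-1 mod n; the small primes, the secret s' = 123456 and the exponent e = 5 are constructed values chosen for illustration only.

```python
"""Fiat-Shamir and Guillou-Quisquater rounds carried out entirely in
Montgomery representation, as the page describes (added example, not the
patent's code). p, q, the secret s' and the exponent e are constructed toy
values; a deployed n would be a 1024- or 2048-bit product of secret primes."""
import secrets

P, Q = 10007, 10009              # constructed toy primes, held by the TTP only
N = P * Q                        # public modulus n
K = N.bit_length()
R = 1 << K                       # R = 2^k > n, known to prover and verifier
R_MASK = R - 1
N_PRIME = (-pow(N, -1, R)) % R   # n' = -n^{-1} mod R, precomputed once


def redc(t: int) -> int:
    """Montgomery reduction t * R^{-1} mod n for 0 <= t < n*R, using only
    masks, shifts and one conditional subtraction (no division by n)."""
    m = ((t & R_MASK) * N_PRIME) & R_MASK
    u = (t + m * N) >> K         # exact: t + m*n is a multiple of R
    return u - N if u >= N else u


def mont_mul(a_m: int, b_m: int) -> int:
    """a_m x_m b_m = a_m * b_m * R^{-1} mod n (the page's formula)."""
    return redc(a_m * b_m)


def mont_pow(a_m: int, exp: int) -> int:
    """Montgomery exp-th power a x_m a x_m ... x_m a by square-and-multiply.
    The 0th power is R mod n, the Montgomery representation of 1."""
    result, base = R % N, a_m
    while exp:
        if exp & 1:
            result = mont_mul(result, base)
        base = mont_mul(base, base)
        exp >>= 1
    return result


def to_mont(z: int) -> int:
    """z_m = z*R mod n; only used to relate the protocol to s' and r'."""
    return (z * R) % N


# ---- Fiat-Shamir in Montgomery form (figure 1) -------------------------
def fs_commit(r: int) -> int:
    """Step 106: x = r x_m r for the prover's fresh random r in Z_n."""
    return mont_mul(r, r)


def fs_respond(r: int, s: int, e: int) -> int:
    """Step 110: y = r x_m s^e. For e = 0, s^0 is R mod n, so y = r."""
    return mont_mul(r, mont_pow(s, e))


def fs_verify(v: int, x: int, y: int, e: int) -> bool:
    """Steps 115/116 (e = 1) or 120/121 (e = 0), v = s x_m s from the TTP."""
    if e == 1:
        return mont_mul(y, y) == mont_mul(v, x)   # two Montgomery products
    return mont_mul(y, y) == x                    # one Montgomery product


def run_fiat_shamir(s: int, rounds: int) -> bool:
    """Honest prover against the verifier; all values stay in Montgomery form."""
    v = mont_mul(s, s)                          # step 102: public key v
    for _ in range(rounds):
        r = secrets.randbelow(N - 1) + 1        # step 105
        e = secrets.randbelow(2)                # step 108
        if not fs_verify(v, fs_commit(r), fs_respond(r, s, e), e):
            return False
    return True


# ---- Guillou-Quisquater in Montgomery form (figure 3) ------------------
def gq_verify(s_e: int, x: int, y: int, c: int, e: int) -> bool:
    """Steps 313-315: y^e must equal x x_m (s^e)^c, with s^e from the TTP."""
    return mont_pow(y, e) == mont_mul(x, mont_pow(s_e, c))


def run_guillou_quisquater(s: int, e: int, rounds: int) -> bool:
    """Honest prover; the challenge c ranges over {0, ..., e-1}."""
    s_e = mont_pow(s, e)                        # public value stored by V
    for _ in range(rounds):
        r = secrets.randbelow(N - 1) + 1        # step 305
        x = mont_pow(r, e)                      # step 306: x = r^e
        c = secrets.randbelow(e)                # step 308
        y = mont_mul(r, mont_pow(s, c))         # step 310: y = r x_m s^c
        if not gq_verify(s_e, x, y, c, e):
            return False
    return True


if __name__ == "__main__":
    S = to_mont(123456)   # constructed secret s, already in Montgomery form
    print("Fiat-Shamir, 40 rounds:", run_fiat_shamir(S, 40))
    print("Guillou-Quisquater (e = 5), 20 rounds:",
          run_guillou_quisquater(S, 5, 20))
```

Because Montgomery multiplication is multiplicative on the underlying numbers, the prover's y for e = 1 is exactly the Montgomery representation of r'.s', which is why the verifier's check y x_m y = v x_m x needs no conversion in or out of Montgomery form.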

Other embodiments are intentionally within the scope of the 
accompanying claims. 
CLAIMS 

1. A method of verifying the knowledge of a secret number s in a 
prover device by a verifier device having no knowledge of the secret 
number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein. 



2. The method of claim 1 in which the zero knowledge protocol 
is the Fiat-Shamir protocol. 

3. The method of claim 1 in which the zero knowledge protocol 
is the Guillou-Quisquater protocol. 

4. The method of claim 2 including the steps of: 

(i) providing to the verifier device a value v = s^2 being the Montgomery 
multiplication of the secret number s by itself; 

(ii) computing, by the prover device, the value x = r x_m r, where r is a 
random number, and transmitting the value of x to the verifier device; 

(iii) selecting, by the verifier device, a challenge value of e from the set 
{0, 1} and transmitting the challenge value to the prover device; 

(iv) computing, by the prover device, the value y = r x_m s^e and 
transmitting the value y to the verifier device; and 

(v) the verifier device checking the authenticity of the prover's response 
according to the values of x, y and v previously received and according to 
the challenge value e. 



5. The method of claim 4 wherein the step of checking the 
authenticity of the prover's response comprises the steps of: 

for a challenge value of e = 1, computing the values of y x_m y and v 
x_m x and checking that they are the same; or 
for a challenge value of e = 0, computing the value of y x_m y and 
checking that it is the same as the previously received value of x. 

6. The method of claim 4 or claim 5 further including the steps of 
repeating steps (ii) to (v) for a number of consecutive rounds to confirm the 
authenticity of the prover device. 

7. The method of claim 4 or claim 5 in which the secret number 
s is a Montgomery representation of another number s' known in the prover 
device domain but not in the verifier device domain, further including the 
step of computing, by the prover device, the value of s from s' according to 
s = s'R mod n, where R > n, values of n and R being used by both the 
prover device and the verifier device. 

8. The method of claim 4 in which the Montgomery 
multiplications of s x_m s, r x_m r, and r x_m s^e are carried out according to the 
formula a x_m b = abR^-1 mod n, where R > n, values of n and R being used 
by both the prover device and the verifier device. 

9. The method of claim 5 in which the Montgomery 
multiplications of y x_m y and s^2 x_m x are carried out according to the formula 
a x_m b = abR^-1 mod n, where R > n, values of n and R being used by both 
the prover device and the verifier device. 

10. The method of claim 1 in which all computations in the zero 
knowledge protocol are performed using Montgomery representation of 
numbers and using Montgomery multiplication operations. 

11. The method of claim 3 including the steps of: 

(i) providing to the verifier device a value s^e being the Montgomery e-th 
power of the secret number s; 
(ii) computing, by the prover device, the value x = r^e, being the 
Montgomery e-th power of r, where r is a random number, and transmitting 
the value of x to the verifier device; 

(iii) selecting, by the verifier device, a challenge value of c from the set 
{0, 1, ..., e - 1} and transmitting the challenge value to the prover device; 

(iv) computing, by the prover device, the value y = r x_m s^c and 
transmitting the value y to the verifier device; and 

(v) the verifier device checking the authenticity of the prover's response 
according to the values of x, y and s^e previously received according to the 
challenge value c. 

12. The method of claim 11 wherein the step of checking the 
authenticity of the prover's response comprises the step of: 

computing the values of y^e and x x_m s^ec and checking that they are 
the same. 

13. The method of claim 11 or claim 12 further including the steps 
of repeating steps (ii) to (v) for a number of consecutive rounds to confirm 
the authenticity of the prover device. 

14. A prover device having contained therein a secret number s 
in Montgomery representation, the device adapted for proving the 
knowledge of the secret number s to a verifier device without conveying 
knowledge of the secret number itself, with a zero-knowledge protocol 
using the Montgomery representation of numbers and Montgomery 
multiplication operations therein. 

15. The prover device of claim 14 further including: 
means for selecting a random number, r; 

means for computing the Montgomery square of r to obtain x; 
means for transmitting x to a verifier device; 
means for receiving a challenge value, e; 

means for computing the Montgomery product of y = r x_m s^e; and 

means for transmitting y to the verifier device. 

16. The prover device of claim 14 further including: 
means for selecting a random number, r, 

means for computing the Montgomery e-th power of r to obtain x; 

means for transmitting x to a verifier device; 

means for receiving a challenge value, c, 

means for computing the Montgomery product of y = r x_m s^c; and 

means for transmitting y to the verifier device. 

17. A verifier device for verifying the knowledge of a secret 
number s in a prover device without knowledge of the secret number itself, 
with a zero-knowledge protocol using the Montgomery representation of 
numbers and Montgomery multiplication operations therein. 

18. The verifier device of claim 17 further including: 

means for receiving the Montgomery square v of the secret number s; 

means for receiving the Montgomery square, x, of a random number, r; 

means for transmitting a challenge value, e to the prover device; 

means for checking the authenticity of the prover's response, y, 
according to the Montgomery square of y verified against values of x and/or 
v received from the prover device according to the challenge value, e. 

19. The verifier device of claim 17 further including: 

means for receiving the Montgomery e-th power, s^e, of the secret 
number s; 
means for receiving the Montgomery e-th power, x, of a random 
number, r; 

means for transmitting a challenge value, c to the prover device; 

means for checking the authenticity of the prover's response, y, 
according to the Montgomery e-th power of y verified against the value of x 
x_m s^ec received from the prover device, according to the challenge value, c. 

20. A method of proving the knowledge of a secret number s in a 
prover device to a verifier device having no knowledge of the secret 
number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein, comprising the steps of: 

selecting a random number, r, 

computing the Montgomery power of r to obtain x; 

transmitting x to a verifier device; 

receiving a challenge value, c, 

computing the Montgomery product of y = r x_m s^c; and 
transmitting y to the verifier device. 

21. A method of verifying the knowledge of a secret number s in a 
prover device by a verifier device having no knowledge of the secret 
number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein, comprising the steps of: 

receiving the Montgomery square v of the secret number s; 

receiving the Montgomery square, x, of a random number, r; 

transmitting a challenge value, e to the prover device; 

checking the authenticity of the prover's response, y, according to the 
Montgomery square of y verified against values of x and/or v received 
from the prover device according to the challenge value e. 
22. A method of verifying the knowledge of a secret number s in a 
prover device by a verifier device having no knowledge of the secret 
number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein, comprising the steps of: 

receiving the Montgomery e-th power of the secret number s; 

receiving the Montgomery e-th power, x, of a random number, r; 

transmitting a challenge value, c to the prover device; 

checking the authenticity of the prover's response, y, according to the 
Montgomery e-th power of y verified against the value of x x_m s^ec received 
from the prover device according to the challenge value c. 

23. A computer program product, comprising a computer 
readable medium having thereon computer program code means adapted, 
when said program is loaded onto a computer, to make the computer 
execute the procedure of any one of claims 1 to 13 and 19 to 22. 

24. A computer program, distributable by electronic data 
transmission, comprising computer program code means adapted, when 
said program is loaded onto a computer, to make the computer execute the 
procedure of any one of claims 1 to 13 and 19 to 22. 

25. Apparatus substantially as described herein with reference to 
the accompanying drawings. 

26. A method substantially as described herein with reference to 
the accompanying drawings. 
ABSTRACT 

EFFICIENT IMPLEMENTATION OF 
ZERO KNOWLEDGE PROTOCOLS 

Zero knowledge protocols, such as the Fiat-Shamir and Guillou- 
Quisquater protocols are implemented using only Montgomery 
multiplications on Montgomery representations of numbers to effect a more 
efficient implementation of the protocols, particularly in devices that have 
restricted computational resource such as smart cards and other portable 
electronic devices. 

[Figure 1] 